From d7c3d2cb460be10a3ea7b32e9443a83c243b2251 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Sat, 4 Mar 2017 21:27:39 +0300
Subject: [PATCH] Secunia SA75000 advisory: several buffer overruns

---
 dcraw/dcraw.c             | 12 ++++++++++--
 internal/dcraw_common.cpp | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

Index: LibRaw-0.18.2/dcraw/dcraw.c
===================================================================
--- LibRaw-0.18.2.orig/dcraw/dcraw.c	2017-05-23 10:30:39.264790336 +0200
+++ LibRaw-0.18.2/dcraw/dcraw.c	2017-05-23 10:33:01.327208294 +0200
@@ -5841,8 +5841,14 @@ int CLASS parse_tiff_ifd (int base)
 	if (!strcmp(model,"DSLR-A100") && tiff_ifd[ifd].width == 3872) {
 	  load_raw = &CLASS sony_arw_load_raw;
 	  data_offset = get4()+base;
-	  ifd++;  break;
+	  ifd++;  
+#ifdef LIBRAW_LIBRARY_BUILD
+       if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
+         throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif  
 	}
+        /* not sure what is meant by that :) */
+        break; 
 	while (len--) {
 	  i = ftell(ifp);
 	  fseek (ifp, get4()+base, SEEK_SET);
@@ -6005,6 +6011,8 @@ int CLASS parse_tiff_ifd (int base)
 	break;
       case 50454:			/* Sinar tag */
       case 50455:
+        if (len < 1 || len > 2560000)
+          break;
 	if (!(cbuf = (char *) malloc(len))) break;
 	fread (cbuf, 1, len, ifp);
 	for (cp = cbuf-1; cp && cp < cbuf+len; cp = strchr(cp,'\n'))